800-53|SI-10

Title

INFORMATION INPUT VALIDATION

Description

The information system checks the validity of [Assignment: organization-defined information inputs].

Supplemental

Checking the valid syntax and semantics of information system inputs (e.g., character set, length, numerical range, and acceptable values) verifies that inputs match specified definitions for format and content. Software applications typically follow well-defined protocols that use structured messages (i.e., commands or queries) to communicate between software modules or system components. Structured messages can contain raw or unstructured data interspersed with metadata or control information. If software applications use attacker-supplied inputs to construct structured messages without properly encoding such messages, then the attacker could insert malicious commands or special characters that can cause the data to be interpreted as control information or metadata. Consequently, the module or component that receives the tainted output will perform the wrong operations or otherwise interpret the data incorrectly. Prescreening inputs prior to passing to interpreters prevents the content from being unintentionally interpreted as commands. Input validation helps to ensure accurate and correct inputs and prevent attacks such as cross-site scripting and a variety of injection attacks.

Reference Item Details

Category: SYSTEM AND INFORMATION INTEGRITY

Family: SYSTEM AND INFORMATION INTEGRITY

Priority: P1

Baseline Impact: MODERATE,HIGH

Audit Items

View all Reference Audit Items

NamePluginAudit Name
1.8.1.2 Ensure 'Custom Markup Warning' is set to EnabledWindowsCIS Microsoft Office Word 2016 v1.1.0
1.8.1.2 Ensure 'Custom Markup Warning' is set to EnabledWindowsCIS Microsoft Office Word 2013 v1.1.0
4.1 Ensure 'maxAllowedContentLength' is configuredWindowsCIS IIS 8.0 v1.5.1 Level 2
4.1 Ensure 'maxAllowedContentLength' is configured - ApplicationsWindowsCIS IIS 7 L2 v1.8.0
4.1 Ensure 'maxAllowedContentLength' is configured - DefaultWindowsCIS IIS 7 L2 v1.8.0
4.2 Ensure 'maxURL request filter' is configuredWindowsCIS IIS 8.0 v1.5.1 Level 2
4.2 Ensure 'maxURL request filter' is configured - ApplicationsWindowsCIS IIS 7 L2 v1.8.0
4.2 Ensure 'maxURL request filter' is configured - DefaultWindowsCIS IIS 7 L2 v1.8.0
4.3 Ensure 'MaxQueryString request filter' is configuredWindowsCIS IIS 8.0 v1.5.1 Level 2
4.3 Ensure 'MaxQueryString request filter' is configured - ApplicationsWindowsCIS IIS 7 L2 v1.8.0
4.3 Ensure 'MaxQueryString request filter' is configured - DefaultWindowsCIS IIS 7 L2 v1.8.0
4.4 Ensure non-ASCII characters in URLs are not allowedWindowsCIS IIS 8.0 v1.5.1 Level 2
4.4 Ensure non-ASCII characters in URLs are not allowed - ApplicationsWindowsCIS IIS 7 L2 v1.8.0
4.4 Ensure non-ASCII characters in URLs are not allowed - DefaultWindowsCIS IIS 7 L2 v1.8.0
6.6 Control the maximum size of a POST request that will be parsed for parameterUnixCIS Apache Tomcat 8 L1 v1.1.0 Middleware
10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH)UnixCIS Apache Tomcat 7 L2 v1.1.0
10.8 Do not allow additional path delimiters (ALLOW_BACKSLASH)UnixCIS Apache Tomcat 7 L2 v1.1.0 Middleware
10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH)UnixCIS Apache Tomcat 7 L2 v1.1.0
10.8 Do not allow additional path delimiters (ALLOW_ENCODED_SLASH)UnixCIS Apache Tomcat 7 L2 v1.1.0 Middleware
10.19 Setting Security Lifecycle Listener (check for config component)UnixCIS Apache Tomcat 7 L1 v1.1.0
10.19 Setting Security Lifecycle Listener (check for config component)UnixCIS Apache Tomcat 7 L1 v1.1.0 Middleware
35 - Do not allow custom header status messagesUnixTNS Best Practice Jetty 9 Linux
Big Sur - Information Input ValidationUnixNIST macOS Big Sur v1.4.0 - 800-53r5 Moderate
Big Sur - Information Input ValidationUnixNIST macOS Big Sur v1.4.0 - All Profiles
Big Sur - Information Input ValidationUnixNIST macOS Big Sur v1.4.0 - 800-53r5 High
Big Sur - Must behave in predictable and documented mannerUnixNIST macOS Big Sur v1.4.0 - All Profiles
BIND-9X-001060 - A BIND 9.x caching name server must implement DNSSEC validation to check all DNS queries for invalid input.UnixDISA BIND 9.x STIG v2r3
Catalina - Information Input ValidationUnixNIST macOS Catalina v1.5.0 - 800-53r5 Moderate
Catalina - Information Input ValidationUnixNIST macOS Catalina v1.5.0 - 800-53r5 High
Catalina - Information Input ValidationUnixNIST macOS Catalina v1.5.0 - All Profiles
Catalina - Must behave in predictable and documented mannerUnixNIST macOS Catalina v1.5.0 - All Profiles
DB2X-00-005900 - DB2 must check the validity of all data inputs except those specifically identified by the organization.IBM_DB2DBDISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-006000 - DB2 and associated applications must reserve the use of dynamic code execution for situations that require it.IBM_DB2DBDISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-006100 - DB2 and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.IBM_DB2DBDISA STIG IBM DB2 v10.5 LUW v2r1 Database
DB2X-00-009300 - When invalid inputs are received, DB2 must behave in a predictable and documented manner that reflects organizational and system objectives.IBM_DB2DBDISA STIG IBM DB2 v10.5 LUW v2r1 Database
DKER-EE-001080 - The audit log configuration level must be set to request in the Universal Control Plane (UCP) component of Docker Enterprise.UnixDISA STIG Docker Enterprise 2.x Linux/Unix UCP v2r1
DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker pathsUnixDISA STIG Docker Enterprise 2.x Linux/Unix v2r1
DKER-EE-001090 - The host operating systems auditing policies for the Docker Engine - Enterprise component of Docker Enterprise must be set - docker servicesUnixDISA STIG Docker Enterprise 2.x Linux/Unix v2r1
EP11-00-006200 - The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.PostgreSQLDBEDB PostgreSQL Advanced Server v11 DB Audit v2r3
EP11-00-006300 - The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.PostgreSQLDBEDB PostgreSQL Advanced Server v11 DB Audit v2r3
EP11-00-006400 - The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.PostgreSQLDBEDB PostgreSQL Advanced Server v11 DB Audit v2r3
EP11-00-009700 - When invalid inputs are received, the EDB Postgres Advanced Server must behave in a predictable and documented manner that reflects organizational and system objectives.PostgreSQLDBEDB PostgreSQL Advanced Server v11 DB Audit v2r3
EPAS-00-006200 - The EDB Postgres Advanced Server must check the validity of all data inputs except those specifically identified by the organization.PostgreSQLDBEnterpriseDB PostgreSQL Advanced Server DB v1r1
EPAS-00-006300 - The EDB Postgres Advanced Server and associated applications must reserve the use of dynamic code execution for situations that require it.PostgreSQLDBEnterpriseDB PostgreSQL Advanced Server DB v1r1
EPAS-00-006400 - The EDB Postgres Advanced Server and associated applications, when making use of dynamic code execution, must scan input data for invalid values that may indicate a code injection attack.PostgreSQLDBEnterpriseDB PostgreSQL Advanced Server DB v1r1
EPAS-00-009700 - When invalid inputs are received, the EDB Postgres Advanced Server must behave in a predictable and documented manner that reflects organizational and system objectives.PostgreSQLDBEnterpriseDB PostgreSQL Advanced Server DB v1r1
F5BI-AF-000229 - The BIG-IP AFM module must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.F5DISA F5 BIG-IP Advanced Firewall Manager STIG v2r1
F5BI-AP-000229 - The BIG-IP APM module must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.F5DISA F5 BIG-IP Access Policy Manager STIG v2r3
F5BI-AS-000229 - The BIG-IP ASM module must be configured to handle invalid inputs in a predictable and documented manner that reflects organizational and system objectives.F5DISA F5 BIG-IP Application Security Manager STIG v2r1
F5BI-AS-000261 - The BIG-IP ASM module must check the validity of all data inputs except those specifically identified by the organization.F5DISA F5 BIG-IP Application Security Manager STIG v2r1